The gist of the U.S. complaint is that China's newly promulgated directive on the use of VPN (Virtual Private Network) encrypted circuits from foreign nations runs afoul of Article 5(c) of the Annex on Telecommunications of the General Agreement on Trade in Services (GATS). The U.S. alleges that "this provision was designed specifically to ensure access to leased lines and other services (e.g., VPN services..." Apart from the current reality that the U.S. Administration has been attempting to destroy the WTO and its agreements, including by calling for a trade war, the complaint is factually wrong, and from a cybersecurity standpoint the notion is simply profoundly wrong-headed.

The complaint is disingenuous

First of all, the WTO Agreement and Annex on Telecommunications being referenced here emerged from negotiations in the 1986-1994 timeframe, in conjunction with the ITU 1988 Melbourne Treaty, which for the first time enabled the use of international leased lines for services to the public, including datagram internets. The WTO Agreement and Annex are explicitly included in the Melbourne Treaty reference materials.

The implementation of Art. 5(c) was expressly predicated on nations following ITU-T standards. (I can credibly assert this fact because I was the ITU representative to the GATS meetings who proposed placing the provisions into the draft agreement!) However, several years later, the Clinton Administration decided to pursue a strategy of unilaterally ignoring the ITU 1988 Melbourne Treaty obligations and the standards that were intended to be used. Today, the U.S. has essentially walked away from the development of those standards, while China has continued to invest considerable resources in their continuing evolution and application for uses such as VPNs in conjunction with data centres.

The ITU-T itself has published multiple international standards for VPNs, including: Rec. ITU-T Y.1311, Network-Based VPNs — Generic architecture and service requirements (03/02); Rec. ITU-T Y.1314, Virtual private network functional decomposition (10/05); and Rec. ITU-T Y.2215, Requirements and framework for the support of VPN services in NGN, including the mobile environment (09/06). There are also two relatively recent ITU-T standards: Supp. 30 to Rec. ITU-T X.805, Security guidelines for mobile virtual network operators (09/17). Indeed, the entire ITU-T Y.3500 series, which U.S. industry helped develop, covers trusted use of VPNs in conjunction with data centres.

The MIIT directive provisions are on their face reasonable

If one actually makes the effort to read the MIIT Telecom directive, it takes a number of sensible steps toward the three stated goals:

The directive is not significantly different from what many other telecommunications oversight agencies worldwide have adopted to protect the security of their public telecommunications infrastructure, and concerns over excessive actions and burdens are not supported by multiple published assessments.

Indeed, the United States' own government body, the U.S.-China Economic and Security Review Commission, recently reviewed the same MIIT regulations and found that "the degree to which the new VPN control measure will target businesses or individuals is not clear" and that "the language of the MIIT statement is ambiguous, citing the necessity of approval for 'information channels to conduct cross-border business activities.'" In fact, the Commission goes on to extol an announcement, made at the same time, of considerable further investment in China's national broadband infrastructure.

A leading international law firm based in the UK, Taylor Wessing, stated "in our view, at least in the context of Circular 32, most companies using VPNs do not need to be overly concerned by either of these issues" and explained its analysis in some detail.

Other media also reported that the Ministry of Industry and Information Technology has said that authorized VPN providers will be allowed to conduct business as usual and that the new restrictions apply only to companies using unauthorized VPNs.

Although the present U.S. Administration may be ignoring the problem, other nations plainly are not. The challenges are complex, and the adverse consequences are significant. The bottom line is that no rational nation is likely to allow unknown and untrusted encrypted tunnels into its national telecommunication and information infrastructure from another nation without a substantial intergovernmental agreement on the associated controls. This is exactly what the MIIT is doing, and the U.S. government should be doing the same.

The U.S. should resume working in ITU-T forums on appropriate standards

When it comes to interconnecting network end-points across borders using encrypted VPN tunnels — especially when the end-points reside in data centres — nations will require verifiable implementation of needed international standards as part of the intergovernmental agreements. Otherwise, the use will be restricted to domestic implementations, and those offering the services will have to replicate their implementations at data centres physically located within every nation. Every new transnational networking technology has faced the same challenge.

Nations that try their hand instead at bilateral bullying may persuade a few nations to go along with them. Wise nations with a global leadership vision will leverage existing multilateral instruments and organizations like the WTO-ITU ensemble. Work already exists in ITU's Study Groups 13 and 17. The U.S. should try using it again.


So, what are the ITU-T standards for customer-equipment-based VPNs? The ones I find are all for network-based VPNs, which have been pretty much abandoned for failure to meet basic business (not technical) security requirements.

It is not clear that some of the existing Y and X series standards don't have enough flexibility to accommodate a wide variety of VPN instantiations. The standards were largely developed by U.S. and European providers and equipment vendors.

However, if one is going to be filing complaints to the WTO that are reliant on standards in a particular venue, it might be wise to have the foresight to have ensured those standards exist in that venue. Hence the admonition to engage in SG13 and SG17 at the end of the article. On the other hand, if one is just going to call for trade wars, it is not clear what purpose is being served by filing a complaint at all.

I know they have a certain amount of flexibility. But as far as I can see they don't have the flexibility to prevent the network operator from accessing the data flowing across the VPN (because the network operator is the one operating the VPN and its endpoints, and they have access to all the encryption keys). That's where those standards run headlong into the business security requirement that the data remain secure vs. the network operator, who isn't authorized to see it.

Tony
I hadn't known this history. I bumped into this article while researching CJK at standards, something you taught me.
Separately, apologies for not following up on your ISOC history bit. I just never seem to catch up.